Security Programs

Infosec

Link	Notes
Information Security Services functions	Each section within the Information Security Services function is compromised of numerous departments, each with their own functions to support the larger department

Product / DevOps

Link	Notes
Netflix The Paved Road at Netflix
Netflix Netflix Culture Meets Product Security	Security is the responsibility of each individual product team Security is the responsibility of the security team
Netflix Scaling Appsec at Netflix	Operational Appsec capabilities: traditional Appsec activities Security Partnerships: driving holistic security improvements to drive down risk Appsec Automation: build a comprehensive app inventory and enable self-service security guidance
Cruise Building a Container Platform at Cruise	Environments & Tenants, Infrastructure Boundaries, Platform Boundaries
Cruise Container Platform Security at Cruise	Identity, Authentication, Authorization, Secrets, Encryption
Cruise Container Platform Networking at Cruise	GCP Hybrid Connectivity Options
Security maturity levels of Product Security Teams	Grouping dev teams into 4 security maturity levels
Cloudflare Startup Security: Starting a Security Program at a Startup	Relationships Security Culture Compromise and Continuous Improvement

AppSec Specific

Link	Notes
An opinionated guide to scaling your company's security	Clint's talk summarising approaches from multiple companies
Uber The Path to Code Provenance	Strategy for ensuring we have a verifiable attestation of the origin of all code running in production
The Art of Vulnerability Management	How to create a positive vulnerability management culture and process that works for engineers and the security team
Beyond The Security Team
Implement Security Champions Programme	Main steps for fast establishment of a Security Champions program regardless of the company size and maturity of the existing security processes
How we run our bug bounty program at Segment
A Guide to Threat Modelling for Developers	Clear and simple steps to help teams that want to adopt threat modelling
Awesome Threat Modeling
Appsec Development: Keeping it all together at scale	Project Risk assessment: Help teams manage risk to their timeline and help security schedule penetration tests Security Impact Assessment: Let teams quickly exit the review process without the need for peer review Risk Assessment: Identify potentially risky items with peer review Threat Model: Analyze risky designs and create mitigations
Creating Security Decision Trees With Graphviz

Teams

Link	Notes
The Actual Cybersecurity Workforce Challenge	There is a cybersecurity skills crisis, but the answer is not to simply focus on creating more trained cybersecurity professionals

Risk / Compliance

Link	Notes
The SOC2 Starting Seven	7 things you can do now that will simplify SOC2 for you down the road while making security posture materially better in the immediacy
Cybersecurity and the Board : A Fresh Perspective?	How to represent cybersecurity (or technology / information risks more generally) to the Board
Prioritizing Cloud Risk Requires Context to be Effective	Prioritizing risk mitigation based on CIS output alone misses something critical: organizational context
Open-Sourcing riskquant, a library for quantifying risk
Experimenting with visualizations and code risk overview

Checklists

• Security Control checklist for startups
• SaaS CTO
• First Security Engineer
• DevOps Security
• DevSecOps Security
• Pentest
• Production Ready
• Security checklist for businesses on GApps